Enabling Cisco Switches authentication against ACS

Nov 7th, 2006

Hi,

Could you post an example of how to configure a switch so that logins are authenticated by an ACS, or, in case of problems, by a local user?

Jorge

mchiaravalle_2 Wed, 11/08/2006 - 16:27

I've been using this:

aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization network default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
tacacs-server host 192.168.12.200 key ********

Works fine for me, and it gives you the accounting, which logs all your device config changes. I'm running ACS v4.0.


jorge.s Mon, 11/20/2006 - 02:41

But is there a way to configure the level of access on the Cisco ACS server? How is it then passed to the switch? For example, one user with access level 15, another with 10 and another with just 5?


Second question: here you mention that all level 15 commands will be sent to the ACS server. Can we send them from all the levels, or do we need to mention each one by one?


Thanks a lot,

Jorge

Here's what AAA/ACS config looks like:

aaa new-model
aaa authentication login default group tacacs+ enable none
aaa authentication enable default group tacacs+ enable none
aaa authorization exec default if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
tacacs-server host x.x.x.x key mykey
tacacs-server host x.x.x.x key mykey

This one requires you to enter an enable password to reach level 15 and doesn't use any local accounts as a backup since I don't have any.
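An added example, not from any of the posters, covering the two points Jorge raises: the switch side that applies the privilege level ACS returns for a user's group, and command authorization, which is configured one line per privilege level. Server addresses and secrets are placeholders.

```cisco
! Added example (not from any post in this thread). Addresses are placeholders
! and the secrets must be replaced before use.
aaa new-model
!
! Local fallback account: used only when no TACACS+ server responds.
username admin privilege 15 secret REPLACE-WITH-STRONG-SECRET
enable secret REPLACE-WITH-STRONG-SECRET
!
! Authentication: try ACS first, then the local database. Avoid ending the
! list with "none", which lets a login through unauthenticated once every
! TACACS+ server is unreachable.
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
!
! Exec authorization is what applies the priv-lvl value ACS returns for the
! user's group (ACS 4.x: Group Setup > TACACS+ Settings > Shell (exec) >
! Privilege level). A user whose group carries priv-lvl 15 lands directly
! in enable mode; priv-lvl 5 or 10 lands at that level.
aaa authorization exec default group tacacs+ local
!
! Command authorization is per privilege level: each level you want checked
! by ACS needs its own line. "if-authenticated" lets an already authenticated
! user keep working if the servers go away.
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 5 default group tacacs+ if-authenticated
aaa authorization commands 10 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
!
! Accounting is also per level; log the levels you authorize.
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 5 default start-stop group tacacs+
aaa accounting commands 10 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
! Two servers for redundancy; the key must match the AAA client entry on ACS.
tacacs-server host 192.0.2.10 key REPLACE-WITH-SHARED-SECRET
tacacs-server host 192.0.2.11 key REPLACE-WITH-SHARED-SECRET
!
! Verify: "show tacacs" for server reachability, "debug aaa authorization"
! to watch the priv-lvl attribute arrive at login.
```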

